Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Sun, 14 Oct 2012 02:35:19 -0500
From: Auburn Study <sse.auburn.study@...il.com>
To: musl@...ts.openwall.com
Subject: Buffer Overflow Study at Auburn University - musl libc developers I
 would really appreciate your help!

Hi All,

I am a graduate student at Auburn University, working with Dr. Munawar
Hafiz on an empirical study project to understand the software engineering
practices used in companies that produce secure software. In particular, we
are concentrating on how developers write code to prevent buffer overflow
and integer overflow vulnerabilities. We are interested in the software
development process: how you develop software, how you test and analyze
programs to detect vulnerabilities, and what processes you follow to remove
bugs. We are looking into automated tools that software developers use, and
are expecting that there is a common insight in the security engineering
process that can be reusable.

We request your assistance by participating in this research study.  We
would greatly appreciate it if you would share your experience with us by
answering the questions at the end of this email. We may send some follow
up questions based on your response in future. Your response(s) will be
kept confidential, and will only be aggregated with those of other
reporters. Please let us know if you have any questions or concerns
regarding the study. Thanks in advance for your support.



Yasmeen Rawajfih
Software Analysis, Transformations and Security Group
Auburn University

Working under the supervision of:
Dr. Munawar Hafiz
Assistant Professor
Dept. of Computer Science and Software Engineering
Auburn University
Auburn, AL
http://munawarhafiz.com/



Questions: (There are ten questions.)

1.       How long have you been a software developer?


2.       How long have you been affiliated with musl libc? Were you part of
the original development team for this software?


3.       What is the size of the current code base?


4.       Did you follow a coding standard when developing this software? Is
it a standard determined by your group?


5.       What did you use to manage bug reports in your software? Does it
satisfy your requirements? Are there other software options that you would
consider switching to?


6.       Did you use any compiler options to detect integer overflow
vulnerabilities? Do you think that they are useful?


7.       Did you use any automated (static or dynamic analysis) tools to
detect buffer overflows, integer overflows, or any other bugs? Which tools
did you use? Why these tools?


8.       Did you use fuzzing? Which tools did you use and why? If you wrote
your own fuzzer, why did you write it yourself? Was it written from scratch
or by extending some other fuzzing tools?


9.       Did you have specific phases during development where you
concentrated on fixing security issues? Did you have a test suite, unit
tests, or regression tests?


10.   Buffer overflows often result from the use of unsafe functions, such
as strcpy. Does your software use those? If you use a different string
library, why is it used? Is it an in-house library or an off-the-shelf
library? Did you migrate your code to use the string library?

Content of type "text/html" skipped

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.